Security Recommendations for PowerTag Link Gateway Commissioning
Default User Accounts
Default user accounts are provided to support the initial connections to the product that are needed to perform the commissioning steps.
POTENTIAL COMPROMISE OF SYSTEM AVAILABILITY, INTEGRITY, AND CONFIDENTIALITY
Change default passwords at first use to help prevent unauthorized access to device settings, controls, and information.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
The accounts and the associated passwords are described in the user documentation. It is not safe to keep using these accounts during operation.
During the commissioning step, these accounts should be replaced by new accounts intended for product operation and maintenance. Each account should be secured by a strong password.
Product Configuration of Security Services
Most product services are disabled by default to reduce the attack surface and exposure to a minimum. Consequently, it is recommended to only enable the services that are strictly required for the product operation. When HTTPS is enabled, all communications done on the HTTP port are automatically redirected to the HTTPS port.
Some security services can be configured to disable their security layer; for instance, HTTPS can be turned off in favor of plain HTTP, which provides no secure communication. This capability is only provided for interoperability with legacy products or network devices. It is strongly recommended not to disable security options.
Modbus TCP Communications
The PowerTag Link gateway supports Modbus TCP network communications. When Modbus TCP service is enabled, it is strongly recommended to secure the protocol usage by activating and configuring Modbus IP filtering.
This feature allows you to restrict access to the PowerTag Link Modbus service to only those network endpoints that are explicitly configured in the filters.
Product Web Server Certificate
To support secure HTTP (HTTPS) communications as soon as the product is installed, the PowerTag Link gateway is equipped with a self-signed X.509v3 certificate by default.
This certificate allows you to set up HTTPS communication that supports integrity and confidentiality, but it lacks some of the enforcement needed for full communication authenticity (as most web browsers indicate through a security warning message).
For most sensitive installations, it is recommended to replace this certificate by importing into the PowerTag Link gateway a certificate signed by a well-known certificate authority.
Secure Communications with Wireless Sensors and Devices
Use of the wireless communications between the PowerTag Link gateway and wireless sensors and devices is controlled through a pairing mechanism. Only wireless sensors and devices that have been paired with the PowerTag Link gateway can join its wireless network.
In addition, the wireless communications are secured by cryptographic mechanisms supporting the integrity and confidentiality of data exchanged through the wireless network.
Once the pairing is performed, it is recommended to periodically verify the list of paired devices configured in the PowerTag Link gateway to make sure that it contains no unexpected or rogue devices.
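One way to carry out the periodic paired-device check described above, as an added example that is not part of the product documentation: it compares the current paired-device list with the baseline recorded at commissioning. The CSV layout (id, type, label), the function names, and every identifier in the sample data are constructed assumptions, not a PowerTag Link export format.

```python
# Added example: audit a paired-device list against a commissioning baseline.
# The CSV columns and all device identifiers below are constructed.
import csv
import io

BASELINE_CSV = """id,type,label
00:A1:B2:C3,energy_sensor,Feeder 1
00:A1:B2:C4,energy_sensor,Feeder 2
00:A1:B2:D0,control_module,Lighting
"""

CURRENT_CSV = """id,type,label
00-a1-b2-c3,energy_sensor,Feeder 1
00:A1:B2:D0,energy_sensor,Lighting
00:FF:EE:01,energy_sensor,
00:FF:EE:01,energy_sensor,
"""


def normalize_id(raw):
    """Make identifiers comparable: drop separators and spaces, upper-case."""
    return "".join(ch for ch in raw if ch.isalnum()).upper()


def load_devices(text):
    """Return ({normalized id: type}, [ids listed more than once])."""
    devices, duplicates = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        dev_id = normalize_id(row["id"])
        if not dev_id:
            continue  # skip rows without an identifier
        if dev_id in devices and dev_id not in duplicates:
            duplicates.append(dev_id)
        devices[dev_id] = row["type"].strip().lower()
    return devices, duplicates


def audit(baseline_text, current_text):
    """Compare the current paired list with the approved baseline."""
    baseline, _ = load_devices(baseline_text)
    current, duplicates = load_devices(current_text)
    shared = current.keys() & baseline.keys()
    return {
        "unexpected": sorted(set(current) - set(baseline)),  # possible rogue devices
        "missing": sorted(set(baseline) - set(current)),     # unpaired or replaced
        "type_changed": sorted(d for d in shared if current[d] != baseline[d]),
        "duplicates": duplicates,
    }
```

Any entry under "unexpected" or "type_changed" should be investigated on the gateway itself before the baseline is updated.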